Almost 2 years ago, 2-sec founded the PCI SSC's Third Party Security Assurance SIG, following the PCI SSC Community Meeting in Dublin.
The aim of the SIG was to incorporate third party security assurance guidance into PCI DSS v3.0 and to produce an information supplement. Sounds easy, doesn't it?
But with input from over 200 interested parties, which included card schemes, banks, service providers and a surprisingly small number of merchants, it took a bit of time to put together something that was mutually agreeable by all those involved.
We're proud to say on August 7 we'd met the original objectives of the SIG and the PCI SSC published our guidance.
We tried to be as practical as possible in our recommendations, and this guidance is the most in-depth published by the PCI SSC to date, and should leave no doubt in people's minds what a Third Party Service Provider (TPSP) actually is.
Our CEO, Tim Holman said “I originally came up with the idea for the Third Party Security Assurance SIG as I'd always seen service provider guidance in PCI DSS as being pretty poor, and open to interpretation. During audit work, I'd often here an argument from the Merchant or Service Provider's perspective that they didn't really think certain providers should fall into PCI DSS scope. I'm pleased to say the new guidance clearly defines who service providers are, and what entities should be doing to risk assess and validate compliance.”
As PCI DSS v3.0 comes into full effect on January 1st 2015, then so does this guidance, as it specifically states how to meet each service provider control objective.
The guidance can be downloaded here